Game developer Valve has fixed critical four bugs in its popular Steam online game platform. If exploited, the flaws could allow a remote attacker to crash an opponent’s game client, take over the computer – and hijack all computers connected to a third-party game server.
The vulnerabilities, which were disclosed on Thursday, were discovered in the network library of Steam, which is known as Steam Sockets. This library is part of a toolkit for third-party game developers.
“Video games have reached an all-time-high during the coronavirus pandemic,” Eyal Itkin, security researcher at Check Point, said in a
Thursday analysis. “With millions of people currently playing online games, even the slightest security issue can be a serious concern for gaming companies and gamer privacy. Through the vulnerabilities we found, an attacker could have taken over hundreds of thousands of gamer computers every day, with the victims being completely blind to it.”
Researchers disclosed the flaws to Valve in September; the vendor rolled out fixes after three weeks to different Steam games. Researchers said that in order to apply the patches, Steam gamers were required to install the update before they could launch a game.
The four flaws (CVE-2020-6016, CVE-2020-6017, CVE-2020-6018 and CVE-2020-6019) exist in Steam Sockets prior to version v1.2.0. The first three CVEs score 9.8 out of 10 on the CVSS scale, making them critical in severity, while the fourth ranks 7.5 out of 10, making it high-severity.
threatpost.com
